Forum Discussion
plavender_72604
Nimbostratus
Jun 19, 2008
iRule to deny IPs in the XFF header
I wonder if someone can help with this one. I'm looking to find out whether it is possible to use an iRule that will look for the XFF header and deny a list of specified IP addresses from connecting to a virtual server. At the moment, we are only able to see the true client IP in the XFF field, so we are unable to deny traffic at the firewall level.
Hopefully someone can help
Thanks!
1 Reply
- Something like this...
```tcl
when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header "X-Forwarded-For"]
        # xff may be in format of addr1,addr2,addr3
        set addrs [split $xff ","]
        foreach addr $addrs {
            # drop the space that usually follows each comma ("addr1, addr2")
            set addr [string trim $addr]
            switch $addr {
                "10.10.10.10" -
                "10.10.10.20" -
                "10.10.10.30" {
                    reject
                }
            }
        }
    }
}
```

Now depending on how many addresses you want to reject or if you want to reject based on subnets, you may want to use data groups with matchclass in a single statement like this.

```tcl
when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header "X-Forwarded-For"]
        # xff may be in format of addr1,addr2,addr3
        set addrs [split $xff ","]
        foreach addr $addrs {
            # drop the space that usually follows each comma ("addr1, addr2")
            set addr [string trim $addr]
            # banned_addr_list is an address data group; subnets match too
            if { [matchclass $::banned_addr_list equals $addr] } {
                reject
            }
        }
    }
}
```
There are many ways to approach this but hopefully this will get you going.
-Joe
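The following is an added example, not code from the thread or from F5: the same header parsing and list matching as the iRule above, written in Python so it can be run and tested offline. The ban list and the trusted proxy range are constructed sample values. It goes one step beyond the post by showing the check a defender usually wants alongside a plain "reject if any entry matches": X-Forwarded-For is written by whoever sends the request, so only the entries appended by proxies you operate are attributable. `effective_client` walks the chain from the TCP peer backwards through those trusted hops and stops at the first address that is not one of them; anything to its left was supplied by that client and is ignored for the ban decision.

```python
import ipaddress

# Constructed sample data (not from the original thread): the addresses to
# deny, expressed as networks so single hosts and whole subnets both work.
BANNED = [ipaddress.ip_network(n) for n in
          ("10.10.10.10/32", "10.10.10.20/32", "10.10.10.30/32", "192.0.2.0/24")]

# Assumed: the proxies in front of the virtual server that we operate and
# whose appended X-Forwarded-For entries we trust.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]


def parse_xff(header):
    """Split an X-Forwarded-For value into address objects.

    Handles the "addr1, addr2,addr3" spacing that a plain split on ","
    leaves behind; an unparseable token is kept as None so its position
    in the chain is preserved.
    """
    addrs = []
    for token in header.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            addrs.append(None)
    return addrs


def is_banned(addr):
    """True if addr falls inside any banned network."""
    return addr is not None and any(addr in net for net in BANNED)


def reject_if_any_banned(header):
    """The thread's approach: reject when any entry in the header is on the list."""
    return any(is_banned(a) for a in parse_xff(header))


def effective_client(header, peer):
    """Find the attributable client: start at the TCP peer and walk the
    header from the right, stepping past each hop that is one of our
    trusted proxies. The first hop that is not a trusted proxy is the
    client; entries to its left came from that client and are not trusted."""
    hops = parse_xff(header)
    client = ipaddress.ip_address(peer)
    while hops and client is not None and any(client in net for net in TRUSTED_PROXIES):
        client = hops.pop()
    return client


def reject_by_effective_client(header, peer):
    """Deny when the client we can actually attribute is banned, or when
    the chain is malformed at the hop we would have to trust."""
    client = effective_client(header, peer)
    return client is None or is_banned(client)


if __name__ == "__main__":
    # A banned address placed in the header by an unbanned client.
    hdr, peer = "10.10.10.10, 203.0.113.9", "198.51.100.1"
    print(reject_if_any_banned(hdr))              # True: an entry matches the list
    print(reject_by_effective_client(hdr, peer))  # False: 203.0.113.9 is the client
```

The `__main__` case shows why the two checks differ: with "reject if any entry matches", a client can be denied by content it did not originate, while the trusted-proxy walk only acts on the address the last proxy you control actually observed. Whichever policy you pick, the `strip()` in `parse_xff` matters in both (it is the same fix as the `string trim` in the iRule), because the usual ", " separator otherwise leaves a leading space that defeats an exact match.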